MBAM no-go, HJT No-go, Clamwin keeps finding viruses.


mpyusko

MalwareBytes' Anti-Malware won't run and most of the time it won't even install.

HiJackThis won't install or run.

Clamwin installs, runs and continually finds viruses.

Toshiba Laptop

Intel Core2 Duo 1.6 GHz

1.5 GB ram

Windows Vista SP1 (sigh)

All software is the most recent updates/ releases.

Since I don't have any MBAM or HJT logs to post, I will post the Clamwin Logs.

There is a scan running right now. It did find another virus. The computer will only run in safe mode. When I boot to Normal, the computer hangs showing a black screen with a functioning mouse pointer. Nothing else and the clicks have no effect.

Thanks for any help!

________________________________________________________________________________

____________________________________________

Scan Started Tue Sep 08 16:26:16 2009

-------------------------------------------------------------------------------

C:\pagefile.sys: Permission denied

C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll: moved to 'C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected'

C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected not moved/copied since already in quarantine

C:\Users\All Users\.clamwin\quarantine\npclntax_ZangoSA.dll.infected: moved to 'C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected.000'

C:\Users\rene\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: no action performed on a mailbox

C:\Users\rene\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1: Permission denied

C:\Windows\System32\catroot2\127D0A1D-4EF2-11D1-8608-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\catroot2\F750E6C3-38EE-11D1-85E5-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\config\COMPONENTS: Permission denied

C:\Windows\System32\config\COMPONENTS.LOG1: Permission denied

C:\Windows\System32\config\DEFAULT: Permission denied

C:\Windows\System32\config\DEFAULT.LOG1: Permission denied

C:\Windows\System32\config\RegBack\COMPONENTS: Permission denied

C:\Windows\System32\config\RegBack\DEFAULT: Permission denied

C:\Windows\System32\config\RegBack\SAM: Permission denied

C:\Windows\System32\config\RegBack\SECURITY: Permission denied

C:\Windows\System32\config\RegBack\SOFTWARE: Permission denied

C:\Windows\System32\config\RegBack\SYSTEM: Permission denied

C:\Windows\System32\config\SAM: Permission denied

C:\Windows\System32\config\SAM.LOG1: Permission denied

C:\Windows\System32\config\SECURITY: Permission denied

C:\Windows\System32\config\SECURITY.LOG1: Permission denied

C:\Windows\System32\config\SOFTWARE: Permission denied

C:\Windows\System32\config\SOFTWARE.LOG1: Permission denied

C:\Windows\System32\config\SYSTEM: Permission denied

C:\Windows\System32\config\SYSTEM.LOG1: Permission denied

C:\Windows\Temp\~DF2663.tmp: Permission denied

C:\Windows\Temp\~DF551D.tmp: Permission denied

C:\Windows\Temp\~DF86FD.tmp: Permission denied

C:\Windows\Temp\~DFAB3B.tmp: Permission denied

C:\Windows\Temp\~DFD380.tmp: Permission denied

C:\Windows\Temp\~DFE419.tmp: Permission denied

C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll: Adware.Zango-14 FOUND

C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected: Adware.Zango-14 FOUND

C:\Users\All Users\.clamwin\quarantine\npclntax_ZangoSA.dll.infected: Adware.Zango-14 FOUND

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------

Known viruses: 621888

Engine version: 0.95.2

Scanned directories: 21966

Scanned files: 126856

Infected files: 4

Not copied: 1

Data scanned: 39027.72 MB

Data read: 33989.04 MB (ratio 1.15:1)

Time: 20196.407 sec (336 m 36 s)

--------------------------------------

Completed

--------------------------------------

________________________________________________________________________________

________________________________________

Scan Started Thu Sep 10 06:32:44 2009

-------------------------------------------------------------------------------

C:\pagefile.sys: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: no action performed on a mailbox

C:\Users\rene\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1: Permission denied

C:\Windows\System32\catroot2\127D0A1D-4EF2-11D1-8608-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\catroot2\F750E6C3-38EE-11D1-85E5-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\config\COMPONENTS: Permission denied

C:\Windows\System32\config\COMPONENTS.LOG1: Permission denied

C:\Windows\System32\config\DEFAULT: Permission denied

C:\Windows\System32\config\DEFAULT.LOG1: Permission denied

C:\Windows\System32\config\RegBack\COMPONENTS: Permission denied

C:\Windows\System32\config\RegBack\DEFAULT: Permission denied

C:\Windows\System32\config\RegBack\SAM: Permission denied

C:\Windows\System32\config\RegBack\SECURITY: Permission denied

C:\Windows\System32\config\RegBack\SOFTWARE: Permission denied

C:\Windows\System32\config\RegBack\SYSTEM: Permission denied

C:\Windows\System32\config\SAM: Permission denied

C:\Windows\System32\config\SAM.LOG1: Permission denied

C:\Windows\System32\config\SECURITY: Permission denied

C:\Windows\System32\config\SECURITY.LOG1: Permission denied

C:\Windows\System32\config\SOFTWARE: Permission denied

C:\Windows\System32\config\SOFTWARE.LOG1: Permission denied

C:\Windows\System32\config\SYSTEM: Permission denied

C:\Windows\System32\config\SYSTEM.LOG1: Permission denied

C:\Windows\Temp\~DF2663.tmp: Permission denied

C:\Windows\Temp\~DF551D.tmp: Permission denied

C:\Windows\Temp\~DF86FD.tmp: Permission denied

C:\Windows\Temp\~DFAB3B.tmp: Permission denied

C:\Windows\Temp\~DFD380.tmp: Permission denied

C:\Windows\Temp\~DFE419.tmp: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------

Known viruses: 621910

Engine version: 0.95.2

Scanned directories: 21860

Scanned files: 126555

Infected files: 1

Data scanned: 38905.48 MB

Data read: 33866.68 MB (ratio 1.15:1)

Time: 18820.760 sec (313 m 40 s)

--------------------------------------

Completed

--------------------------------------

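The first ClamWin log above counts four infected files, but three of them are the same Zango DLL: the original in the Firefox plugins folder, the copy ClamWin quarantined, and that same copy reached again through C:\Users\All Users, which on Vista is a junction to C:\ProgramData. This parser, added here and not part of the thread or of ClamWin, separates live detections from re-hits inside the .clamwin quarantine folder; the sample log is constructed from the post's own lines.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the first ClamWin log in the post above.
SAMPLE_LOG = r"""
Scan Started Tue Sep 08 16:26:16 2009
C:\pagefile.sys: Permission denied
C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll: moved to 'C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected'
C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll: Adware.Zango-14 FOUND
C:\ProgramData\.clamwin\quarantine\npclntax_ZangoSA.dll.infected: Adware.Zango-14 FOUND
C:\Users\All Users\.clamwin\quarantine\npclntax_ZangoSA.dll.infected: Adware.Zango-14 FOUND
C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND
----------- SCAN SUMMARY -----------
Infected files: 4
"""

# ClamWin (clamscan) reports a detection as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")
# ClamWin's quarantine folder as it appears in the log (matched case-insensitively).
QUARANTINE_MARK = "\\.clamwin\\quarantine\\"


def parse_clamwin_log(text):
    """Return ([(path, signature), ...], reported_infected_count)."""
    detections, reported = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FOUND_RE.match(line):
            detections.append((m.group("path"), m.group("sig")))
        elif m := SUMMARY_RE.match(line):
            reported = int(m.group("n"))
    return detections, reported


def triage(text):
    """Separate live detections from re-hits on files already in quarantine,
    and group the live ones by signature so the real number of infections shows."""
    detections, reported = parse_clamwin_log(text)
    rehits = [d for d in detections if QUARANTINE_MARK.lower() in d[0].lower()]
    live = [d for d in detections if d not in rehits]
    by_sig = defaultdict(list)
    for path, sig in live:
        by_sig[sig].append(path)
    return {"reported": reported, "quarantine_rehits": len(rehits),
            "live": live, "by_signature": dict(by_sig)}
```

Excluding the quarantine folder from the scan path, or reading the summary through this triage, keeps the infected count from growing on every rescan of the same quarantined file.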

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Thank you for the advice. I couldn't get that to run either. I found this post on the internet... http://answers.yahoo.com/question/index?qi...07193156AAtqUvg and now MBAM is running. All I did was copy mbam.exe into the same folder "mbam - copy.exe" then I renamed it to simply "1.exe". So far it has been running for 7 minutes and has found 10 infected files.

Also, after sitting at a black screen with a mouse pointer for an undetermined extended period of time (I fell asleep after a couple hours and woke up this morning) Vista had finally finished booting into normal mode. We'll see how this turns out.


After 39 minutes and 28 seconds it found 25 infected objects.

ClamWin...

Scan Started Fri Sep 11 16:54:27 2009

-------------------------------------------------------------------------------

C:\pagefile.sys: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: no action performed on a mailbox

C:\Users\rene\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1: Permission denied

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1: Permission denied

C:\Windows\System32\catroot2\127D0A1D-4EF2-11D1-8608-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\catroot2\F750E6C3-38EE-11D1-85E5-00C04FC295EE\catdb: Permission denied

C:\Windows\System32\config\COMPONENTS: Permission denied

C:\Windows\System32\config\COMPONENTS.LOG1: Permission denied

C:\Windows\System32\config\DEFAULT: Permission denied

C:\Windows\System32\config\DEFAULT.LOG1: Permission denied

C:\Windows\System32\config\RegBack\COMPONENTS: Permission denied

C:\Windows\System32\config\RegBack\DEFAULT: Permission denied

C:\Windows\System32\config\RegBack\SAM: Permission denied

C:\Windows\System32\config\RegBack\SECURITY: Permission denied

C:\Windows\System32\config\RegBack\SOFTWARE: Permission denied

C:\Windows\System32\config\RegBack\SYSTEM: Permission denied

C:\Windows\System32\config\SAM: Permission denied

C:\Windows\System32\config\SAM.LOG1: Permission denied

C:\Windows\System32\config\SECURITY: Permission denied

C:\Windows\System32\config\SECURITY.LOG1: Permission denied

C:\Windows\System32\config\SOFTWARE: Permission denied

C:\Windows\System32\config\SOFTWARE.LOG1: Permission denied

C:\Windows\System32\config\SYSTEM: Permission denied

C:\Windows\System32\config\SYSTEM.LOG1: Permission denied

C:\Windows\Temp\~DF2663.tmp: Permission denied

C:\Windows\Temp\~DF551D.tmp: Permission denied

C:\Windows\Temp\~DF86FD.tmp: Permission denied

C:\Windows\Temp\~DFAB3B.tmp: Permission denied

C:\Windows\Temp\~DFD380.tmp: Permission denied

C:\Windows\Temp\~DFE419.tmp: Permission denied

C:\Users\rene\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5DDE58A7-00000394.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------

Known viruses: 621979

Engine version: 0.95.2

Scanned directories: 21866

Scanned files: 126583

Infected files: 1

Data scanned: 38299.18 MB

Data read: 34159.91 MB (ratio 1.12:1)

Time: 8870.796 sec (147 m 50 s)

--------------------------------------

Completed

--------------------------------------

________________________________________________________________________________

___________________________________________

MBAM Log......

Malwarebytes' Anti-Malware 1.41

Database version: 2784

Windows 6.0.6001 Service Pack 1

9/12/2009 12:42:39 PM

mbam-log-2009-09-12 (12-42-39).txt

Scan type: Full Scan (C:\|)

Objects scanned: 230754

Time elapsed: 39 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 10

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\System32\UACkrokymhyro.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:

HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:

\\?\globalroot\systemroot\System32\UACkrokymhyro.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\NetFilter.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Users\rene\Desktop\AV2010.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.

C:\Users\rene\Desktop\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
